Security Recommendations

[Jeyk]

I've never been the victim of any sort of fraud until recently; I got alerts on my phone about suspicious transactions on my bank account, and sure enough, someone had used my bank card to make a couple of purchases for digital goods on Amazon at 4:00 a.m. - I of course locked the card, and got all but one of my purchases reversed (one is still pending).

Oddly enough, my wife and I put down a deposit for a privacy fence on our new home the afternoon before using this very card, which I haven't used for anything in months.  However when I did this, I read the card number out loud over the phone to the fence company representative we've been working with for a while now (we've met with these folks many times, so I knew who we were talking to - and they are a large and reputable company in our area) - the kicker, though, is that I had an Amazon Echo device in the room we were in, and now I can't help but think of all the possibilities and vulnerabilities on the table. 

While there may have very well been a number ways my card could have been compromised from long ago as I've had it for years (or, perhaps the fence company has some security issues on their end, etc.), the timing of it all, the fact that the card has not been used in months, and that the card number was just read out loud over the phone in a room where I've got an Amazon Echo mere hours before the fraud occurred has me overthinking this from every angle.  Furthermore, I live in a subdivision with little space between the homes to boot, so I can see a number of Wi-Fi networks pop up when I go to seek my own connection, and it makes me wonder - how secure is my internet from not just general threats, but ones near me?  The answer, at least to me now, is: clearly not secure enough, especially when I've got all these neat little devices and cameras inside and outside of my home, hooked up to my Wi-Fi, just begging to be potentially used or exploited by someone who can jump onto my poorly secured network.

With all that being said, my point is this; Broin isn't the old man around here anymore these days!  I need to get up-to-date on some basic, but effective, internet security.  I'm thankful that I've still got my fellow Angels to lean in to and trust with questions like this!

Can you all provide me with some suggestions regarding Firewall, Antivirus, Malware, and VPN software I should be keeping in my Security Swiss Army Knife?  I know some things are free, and free is great - but I'm also okay with paying for some services as well.  Recommendations for both would be stellar, if reliable versions of each service exists!  Any other suggestions or software related to security that I may be missing is also welcome!

Thank you in advance for any recommendations!

[Ash]

Hey Jeyk, sorry you're having to deal with that whole fraudulent transaction mess. I've had it happen once or twice and it's always a pain in the ass.

I recognize that your post is over a month old, so if you've already taken care of your security concerns than the following advise is for anyone else who may one day ask.

So here goes...

Advice No. 1: Eliminating (or greatly reducing the headache of ever having to deal with fraudulent transactions ever again).  Now you said "bank card" which I take to mean "debit" card, if this is not the case then obviously this advise has a little less value, but regardless...Stop using a debit card to pay for things, and instead use a "credit" card for ALL of your purchases.  I could go into all the details why, but honestly this video does a way better job of explaining it.  https://youtu.be/3Ga-M2CpRgY?si=NjbXlIqAcERpdWAh.  The important thing to remember is that you MUST pay off your card every time you get paid, so that no interest charges are ever incurred, in so doing, you spend no more money than you would have if using your normal debit card.  I get paid twice a month, and so I make sure my card is paid off twice a month.

Advice No. 2: Get yourself a firewall, one that isn't provided by your Internet Provider.  I recommend a company called Firewalla, https://firewalla.com, lets you easily manage Internet traffic for every device on your network individually or as a whole.  It also alerts you any time a new device connects or when there is an unusual spike in network traffic to any specific device. They are not enterprise-level devices by any means but by and large a great product for the home, especially for those of us who have too many tech devices. 

Advice No. 3: Get rid of, or disable, any and all tech that listens for verbal commands; none of them (and I really mean none of them) are secure. For mobile devices, change any voice assistant settings (this includes Ai chat bots now) that are constantly in listening mode, instead change them to be button-activated only.

Hope this helps or at least gives you some ideas. 

[Jeyk]

Thank you, Ash!

Yes, it was indeed my debit card; I do actively utilize a credit card in this fashion for all purchases and pay off the monthly amount (and take advantage of the nice little rewards system, when I can).  I was thankfully able to recover all fraudulent charges.  This was a one-off deposit payment for the fence, and I merely wanted to avoid the additional percentage fee that the credit card would have incurred - however, I overlooked the fact that I was just making myself vulnerable.  It's wild to think just how easy it is to leave yourself vulnerable these days (and how often many of us likely constantly do in other ways).

Yeah, the verbal commands are a nice convenience that the wife and family enjoy (myself included), but I've always been a bit leery of them, and am increasingly so.  It may be time to just wipe them out and replace a couple of frequented ones with traditional Bluetooth speakers for music, at the very least.

Thank you for the recommendation on the Firewalla products - I will absolutely do a dive into their lines and nab something.

Good looking out man, very much appreciated!

[NoCry]

No advice i am afraid. But big hugs to you all!

[Jeyk]

No advice i am afraid. But big hugs to you all!

Nocry!  No worries - big hug reciprocated, my friend!

[Tbone]

Well, I'm very late to this topic but have been dealing with similar issues myself.

My computer has been hacked twice in the last six months. The first time I downloaded some software from a new source that I didn't vet ahead of time. Turn out it installed a RaT on my PC (remote access). The hacker waiting a few weeks waiting for the right time to take over. When they did, I was away at rehearsal. My Google messages was connected to my PC, so they were able to use that for 2FA to connect my credit card to their device. Luckily I got a notification about the 2FA and ran out of rehearsal and went through a 24 hour process of locking everything down, including having my girlfriend unplug my PC ASAP. They had stolen all my Chrome credentials (passswords, etc.)

The second time was recently via Discord. Someone who I worked with briefly with a startup company DMed me about trying an indie game their sister made and leaving a review for her birthday. It sounded sus, so I used VirusTotal to scan it and it came back clean. Well...it turns out the virus was so new it just wasn't reported yet. That gave me a false sense of security. The virus tried to steal my credentials (luckily I had that locked down, so they only got some old Microsoft Edge passwords). The hacker hijacked my Discord, deleted my server list, friend list, and DM list and DMed me to try and blackmail me to get my stuff back. I couldn't believe I had gotten hacked again...

So anyway, here are the steps I'm taking...

1. Don't use a common browser. I'm using Perplexity's Comet now as most viruses don't know to look for that.

2. Never leave your PC unlocked if unattended. I have it set to auto-lock now when my phone leaves my office. I'm setting up biometrics to unlock my PC.

3. Use an encrypted password manager for passwords. I'm setting up Bitwarden now. I'm setting it up to use biometrics to avoid a keylogger getting my master password.

4. Set up 2FA with authenticator app or hardware key. I'm using an app at the moment, as a hardware key seems overkill for me. Obviously have your reset key written down and hidden somewhere (I lost another Discord account when I didn't do that). Don't use texts for 2FA and have a pass/biometric lock on your 2FA account as well.

5. Set up notifications for any bank/credit card transactions. Early warnings can help you lock down things fast.

6. Scan and double scan everything. Unless it's from a reputable site, scan anything before you open it. Looking back at VirusTotal, I should have gone to the "behavior" tab and then I would have seen the suspicious behavior the file was doing. Use AI to check the results and it can tell if you if you should avoid the file.

7. Ask AI to help. AI is getting pretty good at being helpful at things like this. The second time I was hacked, I used AI to help me analyze my traffic to make sure I didn't have a RaT, to completely eliminate the virus, to do multiple scans, etc. It might be worth it to just ask AI to walk you through all the steps to make sure you don't have malicious software already hiding on your computer.

8. But don't give AI access to your PC. This is more future-proofing, but AI will absolutely be used as an exploit for future hackers. I'm already worried about Perplexity's Comet browser backfiring in that way. Prompt injections are becoming popular and can really screw you over quick if you give AI too much access.

That's all I can think of off the top of my head. Good luck! It's a nightmare...